World Bank CIO: 'IT is Not a Cost to Be Constrained'

The World Bank Group has an audacious goal: to promote economic growth and end extreme poverty by 2030. Making this happen behind the scenes is chief information officer Stephanie von Friedeburg. She oversees technology deployment, keeping communication flowing between 188 member countries operating out of 200 country offices, many in undeveloped or unstable regions.

She does all this while bringing the 71-year-old institution up-to-date through cloud and mobile technology so workers can be remote and critical information can be accessible from anywhere. We spoke with von Friedeburg about how new-school technology is shaping the old-school financial services organization and the shift companies big and small have to make when it comes to information security.

Q: Help us understand the scope of the technology challenges an organization like the World Bank faces?A: We’re all over the world -- little places, big places, hard to reach places -- South Sudan, Afghanistan. Some of the hardest places in the world to connect to. We have a staff of about 15,000 who make somewhere in the range of 125,000 to 150,000 trips a year. We put people on the road all the time, and they need to have to have access, anywhere and anytime, to all the data and information that the bank houses. When I took over, the bank had really fundamentally underinvested in technology. We hadn’t made any really big, strategic changes to our technology landscape since the late 1990s. We were only spending about $12 million dollars a year to connect all of our country offices. Nothing was really working properly.

Q: How so? What kind of problems was your team seeing?A: I was in my job about six months and I went to Mongolia. One of the task team leaders in Mongolia literally booted up the operations portal, we went to lunch, we came back and it was still loading the 800 data fields it needed to load. I was like, ok, this is a really serious problem.

Q: How have you addressed this?A: We put in place a multi-pronged strategy. The first was to attack the end-user, and standardize and improve the end-user devices [like phones and laptops and tablets]. Can we get them more immersed in a cloud-based environment? And while we’re making those changes, under the hood, also rip out a lot of the customized, underlying platforms and buy centralized platforms that we could re-use across the organization and use in a way that would allow us to take our really big applications and pare them down into a mobile applet. Instead of trying to open a monolithic application, you’re just going to open a little tiny slice of the application you need to get your job done.

Q: Why were these important?A: We really want to make our knowledge available to our teams in the field. If you’re working on your first water project, you could actually find the last five water projects that we’ve done that are applicable to what you’re trying to do, and connect to the people who worked on them. How do you make information flow more smoothly within the organization?

Q: How has cloud technology helped you deal with emergency situations?A: We use to have servers in all 220 of our offices. When a disaster hit we had technology people in all of those offices physically carry the servers out of the country offices with them and then reinstall them wherever we were going to operate. Now, we’re on Office 365 and Box. So, when it got really rough a few times this year at our Kabul office, we could leave everything in Kabul and move those 125 staffers north and have them functioning and operational instantly, as opposed to a week or two. Cloud technology has become about business continuity and operations and I didn’t envision that.

Q: What does a successful IT strategy for the World Bank look like? What tools are you using and why?A: For me, the successful strategy is that everyone will be mobile and will be able to be connected from anywhere so you won’t have to be physically in the office. We have about 246 applications that we use. If we are successful they will all eventually be redesigned and put in the cloud. We have five data centers now, but we won’t need five data centers. We may have one data center ourselves, but I do not envision us continuing to maintain all of our own servers. It’s expensive and we aren’t as good at it as [companies like Microsoft and Amazon] are.

Q: I imaging getting a 71-year old organization onto the cloud isn’t easy. How do you make a change like that happen?A: The most esoteric challenge we faced was getting the organization to even agree that we should have a cloud strategy. That took me the better part of 9 months. When I started the conversation, the lawyers said to me, putting World Bank data in the cloud would be like putting our data in a paper box, writing ‘Free’ on it and placing it on the curb. And I said, ‘well, not exactly.’

Also, we’d been an organization with a lot of bubble-gumming and shoe-stringing on the back end to hold things together. So, it was important to shift the mentality of the staff and shift our position in the organization to say ‘Listen, IT is not a cost to be constrained, we should be a strategic partner helping you be better at delivering solutions all the time.' I think those are the things we struggle with every day. We’ve done a lot work around culture, communication and changing perspective and mindset.

The other interesting thing is that the World Bank Group is founded by treaty so we are protected by something called our privileges and immunities. And it means that in any jurisdiction, our files and vaults are impenetrable by local law enforcement, so no one can subpoena the World Bank and request our information. And overcoming the idea that our data wouldn’t physically be behind our firewall and our data center was a really big hurdle for us.

Q: How will technology at the World Bank change in the next 10 years? A: The work we’re going to do is going to be more complex and cross-cutting. We’re no longer going to look at things in silos. From a technology perspective, if a country wants to have a citizen database, what can that database be used for? We could use it for social security, healthcare, driver’s licenses, etc. And we’ll be able to be build a database, not several databases. I think you’ll see technology that will solve development problems as well like education. I think energy is going to have to be driven in technology, and we’ll see the bank playing a big role in that. I think our role is going to get more interesting.

Q: Security is such a concern across the public and private sector. What approach is the World Bank taking to keep information safe?A: A little over three years ago, we created a new security strategy. Instead of building more exterior protections, we reclassified all of our data and information. We created about 250 classes of information and put it on a heat map, and we said, which of this is the critical crown jewel -- what drives the equivalent of our bottom line, how our treasury operations work, where we invest our money, highly confidential information about a company or country -- that we would never want to escape from the organization? All the way down to, which of the data do we think ‘who cares what happens to it?’ We have spent considerably more time thinking about keeping safe the crown jewel, and letting go of the things that are less relevant.

When I became a CIO five years ago, the first thing somebody said to me is ‘you don’t want security anywhere near you because if there is a security breach, you’ll lose your job.’ I think in the last five years, the context of security breaches has shifted. We try to spend time with our board and our other senior management talking about how we are vulnerable, and we will be breached. The question is: what do we do when we are breached? How do we respond, do we actually have the incident command in place from a communications standpoint? We spend a lot of time working on that. We no longer say that we’re safe. I think that’s the important shift for organizations to make.